Cobalt Strike usage among cybercriminals has increased by 161%, according to researchers at Proofpoint. Cobalt Strike is a legitimate, commercially available tool used by network penetration testers; however, it is abused by cybercriminals to conduct cyberattacks. Proofpoint tracked the year-over-year increase by analyzing the number of real-world attacks in which Cobalt Strike was used. According to a report Proofpoint published on Tuesday, the company saw the tool used to target tens of thousands of organizations, and it is now used by more cybercriminals and malware operators than by advanced persistent threat actors or operators who prefer general commodity malware. The data covers the year-over-year change between 2019 and 2020; however, Proofpoint asserts that Cobalt Strike usage has likely not decreased and that the tool remains a hot commodity.
Cobalt Strike operates by sending out beacons to detect network vulnerabilities, simulating an attack. However, threat actors have turned it against networks to deliver malware, exfiltrate data, and create fake command-and-control profiles that appear legitimate and therefore evade detection. Proofpoint’s research follows Recorded Future’s documentation of the spike in Cobalt Strike usage among cybercriminals; Recorded Future assessed the situation after the tool’s source code leaked on GitHub in November 2020. According to Proofpoint’s report, Cobalt Strike appeared in attack chains during initial access, execution, and persistence, representing a shift toward using the tool as an initial access payload rather than a second-stage tool.